You may have recently heard reports or seen news about a security bug called “Cloudbleed” affecting sites served by Cloudflare. Envato delivers some websites using services provided by Cloudflare; however, Cloudflare have confirmed that none of our websites are directly affected by this security bug. Cloudflare published a detailed explanation of what the bug is and how it came to be, which you can read on their blog.
UPDATE: Since the original publication of this post, Cloudflare have released a follow-up blog post with information they have learned in their investigations. The second article focuses more on explaining the real-world impact of the bug than on the technical details.
How does the security bug impact you?
The security bug has caused a very tiny percentage of requests served through Cloudflare to contain information from other unrelated sites. In an even smaller percentage of cases, some of this leaked information included usernames, passwords, and other private information.
Envato takes security very seriously, so as a precautionary measure we have:
- Expired all current login sessions on all Envato websites that use Cloudflare services. Despite being extremely confident session data was not exposed by this bug, we took this step to make 100% sure that, even if session data was exposed, it was no longer valid and could not be used to access your account.
- Replaced all credentials that Envato systems use to authenticate with other service providers that may have also been affected by this bug.
Whilst we are confident no usernames or passwords to Envato websites were leaked through Cloudflare, if you used the same password somewhere else it may have been compromised. If you are at all unsure, we recommend changing your password.
Change your Envato Tuts+ password here.